VBAAC Bypass – Verb Based Authentication and Access Control.

This post is dedicated to VBAAC bypass, which is detailed in the ongoing research documentation I have been doing. This part of the series belongs to ‘Web Application Exploitation’ and has been pinned to this post for my own reference. Work has just exploded, and since I need to trace back everything that is being done, everything about the paper goes here. The contents of this post are entirely devoted to personal research. The blog itself is personal.

What is covered in VBAAC Bypass:

Concept of Server Side controls.

HTTP RFCs for ‘verbs’.

WebDAV ‘verbs’ or ‘methods’.

Access control mechanisms in Apache.

Configuring Apache to make use of those access control mechanisms.

The documentation first covers building a web application, and only then bypassing authentication on it. Because URL-based authentication protects resources with ‘Basic’ or ‘Digest’ authentication, a brief introduction to the standardized HTTP ‘verbs’ (methods) is provided; this is needed throughout the document. A good number of WebDAV verbs are also listed, together with the RFCs that define them. Samples of the work are attached below and are for private purposes only. The document isn’t public.
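The Apache side of the topic above comes down to how the access control container is scoped: a `<Limit GET POST>` block applies the directives inside it only to the listed methods, so any authentication requirement placed inside such a block does not cover the other verbs (PUT, DELETE, OPTIONS, the WebDAV methods and so on). The audit script below is an added example, not part of the original post or the author’s documentation; it parses a constructed httpd.conf fragment, flags `<Limit>` blocks that carry authentication directives, and lists the known methods each block leaves uncovered. The weak and hardened configurations, the list of known methods and the directive names it looks for are assumptions made for this example, based on Apache’s documented `<Limit>`/`<LimitExcept>` semantics.

```python
"""Audit an Apache httpd configuration for verb-limited access control.

Added example (not from the original post). Apache's <Limit> container applies
the directives inside it only to the listed HTTP methods; <LimitExcept> applies
them to every method NOT listed. An authentication block such as
<Limit GET POST> therefore leaves every other verb outside the access control.
Per the Apache docs, limiting GET also limits HEAD, which is modelled below.
"""
import re

# Directives that establish access control when placed inside a container
# (compared case-insensitively, as Apache does). Assumed list for this example.
AUTH_DIRECTIVES = {"require", "authtype", "authname", "authuserfile", "satisfy"}

# Standard HTTP and WebDAV methods (RFC 7231, RFC 5789, RFC 4918) used only to
# report what a <Limit> block leaves uncovered. Constructed list for this example.
KNOWN_METHODS = [
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
]

_OPEN = re.compile(r"^<(Limit|LimitExcept)\s+([^>]+)>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</(Limit|LimitExcept)>$", re.IGNORECASE)


def audit_limits(config_text):
    """Return one finding per <Limit> block that carries auth directives.

    Each finding records the container's line number, the methods it actually
    restricts (GET implies HEAD), the known methods it leaves unrestricted, and
    the directives found inside it. <LimitExcept> blocks are not flagged because
    they cover every method not named in them.
    """
    findings = []
    current = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            current = {
                "kind": opened.group(1).lower(),
                "methods": {t.upper() for t in opened.group(2).split()},
                "line": line_no,
                "directives": [],
            }
            continue
        if _CLOSE.match(line):
            if current and current["kind"] == "limit" and current["directives"]:
                covered = set(current["methods"])
                if "GET" in covered:
                    covered.add("HEAD")  # Apache: limiting GET also limits HEAD
                findings.append({
                    "line": current["line"],
                    "restricted": sorted(covered),
                    "unrestricted": [m for m in KNOWN_METHODS if m not in covered],
                    "directives": current["directives"],
                })
            current = None
            continue
        if current is not None:
            directive = line.split()[0]
            if directive.lower() in AUTH_DIRECTIVES:
                current["directives"].append(directive)
    return findings


# Constructed weak configuration: the Require sits inside <Limit GET POST>, so
# only GET, HEAD and POST are authenticated.
WEAK_CONFIG = """<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /etc/apache2/.htpasswd
    <Limit GET POST>
        Require valid-user
    </Limit>
</Directory>
"""

# Constructed hardened configuration: Require applies to every method, and the
# methods the application does not need are denied outright.
HARDENED_CONFIG = """<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_limits(cfg)
        print(f"{label}: {len(found)} verb-limited auth block(s)")
        for f in found:
            print(f"  line {f['line']}: {f['directives']} restricts only "
                  f"{f['restricted']}; unrestricted: {f['unrestricted']}")
```

Running the script reports one finding for the weak fragment (the `<Limit>` on line 5 covers only GET, HEAD and POST) and none for the hardened one, where `Require valid-user` sits directly in the `<Directory>` container and a `<LimitExcept>` block denies everything the application does not use. The check is deliberately narrow: it only reads `<Limit>` containers and does not evaluate `Require` merging across `.htaccess` files or `<Location>` blocks.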

Sample figures attached in the original post (images not reproduced here): Verb 0, Verb 1, Verb 2, Verb 3, Verb 4, Verb 5.

Had a great day going ahead, improving my drafting skills and getting a good grip on web application penetration testing from within corporate companies. The point of the research is to bring the real penetration testing scenario back to the general public and make the security-unaware people out there aware. Have a great weekend ahead!